GroupWise Lockdown
Michael Bell, Ulrich Neumann
email@example.com, firstname.lastname@example.org
About your Presenters…
• Michael Bell
• GWAVA Lead Developer
• Novell Volunteer SysOp for 8 years
• Creator of Guinevere
• Director of QA at GWAVA
• Favorite Hobby
• Science Fiction
• Filing bugs on other devs’ products.
About your Presenters…
• Ulrich Neumann
• GWAVA Lead Developer
• Novell Virtual Software Engineer
• Novell Developer Services Volunteer SysOp
• Open Source Software Engineer
• Favorite Hobby
• Karate
Agenda
• Securing your Infrastructure
• Securing your Server
• Securing your GroupWise Agents
Infrastructure: Firewall
• Implement a Firewall.
• Be careful opening IP Ports.
• Use Proxies whenever possible.
• Keep logs, and consider backing them up.
Infrastructure: Backup
• Create functional backups.
• Test your Backups on a regular basis and keep tapes offsite.
• Use GWTSA/TSAFS compliant Backup Software to obtain complete and consistent backups.
• Don't forget to include /home switches for each Agent Directory to GWTSA.
• Consider GWAVA Reload as an option!
Infrastructure: Antivirus
• Implement Antivirus Agents at all points of entry.
• Make sure Virus Signature Files are up to date on a regular basis.
• Consider adopting AV software which has a high speed response rate to virus outbreaks.
• Create and enforce an e-mail policy which blocks potentially malicious items (Fingerprinting).
Server
• Make sure you have the latest security patches installed.
• Do not use CIFS to access files on a Mail Server.
• Set Disk Space Limits.
• Do not use the SYS Volume to store user data such as Post Offices.
• Don’t use root on Linux for services.
• Don't store data on a server outside the Firewall.
GroupWise General
• Don't grant file system rights to any user.
• Set all log files to “Verbose” and allow at least 30 days of logs to keep.
• Don't use “public” as your SNMP Community string. Disable SNMP if not used.
• Use SSL whenever possible.
• Place gateway servers (GWIA, WebAccess) in the DMZ when possible. Never place them on the same server as a Post Office.
• Avoid Windows if possible (too many attacks are aimed at such servers).
GroupWise General
• Use isolated parent domains to avoid granting excess rights and increase reliability.
• Don't scan GroupWise database files for viruses. Do scan the rest!
• Turn off Web Consoles if not used by Redline or GWMonitor.
• Use a comprehensive monitoring solution such as Redline or GroupWise Monitor to watch for changes in the health and configuration of your system.
GroupWise Domains
• Be very paranoid about allowing ANY direct access to your domain files.
• Malicious attackers can (with admin rights) see and alter your entire system.
• Malicious attackers can mint a Trusted Application. From then on, they don’t need direct access to do horrible things via IMAP or Object API, and soon SOAP (steal mail, alter/delete mail).
• Check your Trusted Application list regularly to make sure no programs have been added.
GroupWise Internet Agent
• Upgrade from GroupWise 5.x – too many compromises and DOS attacks are possible.
• Turn off all SMTP relay and use NO relay exceptions except when absolutely necessary, in which case use static IP address exceptions.
• Mailbomb protection – consider enabling, but don't expect miracles.
• Country code RBLs – bad, but possibly effective.
• Limitation of GWIA RBL – it only looks at the last hop.
GroupWise Internet Agent
• DNS Reverse lookup – fairly effective, but consider the possible loss of communications, especially with specific ISPs or dynamic IP configurations. No exceptions are allowed!
• Disable all services not needed (POP3, IMAP, LDAP, HTTP).
• If POP3 or IMAP is enabled, require SSL on these services.
• Run in protected memory.
GroupWise Post Office
• Enable Intruder Detection.
• Disable SOAP and IMAP if not needed.
• Force Clients to use Client/Server mode.
• Use high security authentication methods (LDAP or eDirectory authentication).
• LDAP authentication has many benefits:
  • uses the eDirectory password
  • uses eDirectory password expiration and other policies
  • allows auditing by eDirectory auditing tools.
GroupWise WebAccess
• Use SSL to access WebAccess.
• Redirect the insecure (Port 80) webpage to the secure webpage (Port 443).
• Use Apache2 as the preferred web server.
• Lock down your http server directories, and do not permit any “bare” directories to be browsed.
• Disable unneeded Apache modules.
• Remove sample scripts and http pages.
• Run in protected memory.
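The WebAccess points above (port 80 redirected to 443, no browsable "bare" directories, unneeded modules off) as an added Apache configuration example; it is not from the presentation or from Novell, uses Apache 2.4 syntax, and the hostname, document root and certificate paths are placeholders.

```apache
# Weak: WebAccess served over plain HTTP, directory listings allowed,
# modules nobody uses still loaded.
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule status_module   modules/mod_status.so
LoadModule userdir_module  modules/mod_userdir.so
<VirtualHost *:80>
    ServerName webaccess.example.com          # placeholder hostname
    DocumentRoot /srv/www/webaccess           # placeholder path
    <Directory /srv/www/webaccess>
        Options Indexes FollowSymLinks        # any directory without an index page is listed
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# Hardened: port 80 exists only to send clients to port 443; listings off;
# only the modules WebAccess needs stay loaded.
LoadModule ssl_module      modules/mod_ssl.so
#LoadModule autoindex_module modules/mod_autoindex.so   # disabled: not needed
#LoadModule status_module   modules/mod_status.so       # disabled: not needed
#LoadModule userdir_module  modules/mod_userdir.so      # disabled: not needed
<VirtualHost *:80>
    ServerName webaccess.example.com
    Redirect permanent / https://webaccess.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName webaccess.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/webaccess.crt   # placeholder path
    SSLCertificateKeyFile /etc/apache2/ssl.key/webaccess.key   # placeholder path
    DocumentRoot /srv/www/webaccess
    <Directory /srv/www/webaccess>
        Options -Indexes +FollowSymLinks      # a "bare" directory now returns 403, not a listing
        AllowOverride None                    # no .htaccess surprises under the document root
        Require all granted
    </Directory>
    # Sample content shipped with the web server is removed from disk, not just hidden;
    # denying the default locations is a second line of defence.
    <DirectoryMatch "/(manual|cgi-bin/test-cgi|icons)">
        Require all denied
    </DirectoryMatch>
</VirtualHost>
```

Check the result with `apachectl -t` before restarting, and confirm that requesting a directory that has no index page returns 403 rather than a file list.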